In an effort to continuously improve the security of AEM, Adobe has introduced a feature called SSL By Default. The purpose is to encourage the use of HTTPS to connect to AEM instances.

Enabling SSL By Default

You can start configuring SSL By Default by clicking the relevant Inbox message from your AEM home screen. To reach the Inbox, press the bell icon in the upper right corner of the screen. Then, click on View All. This brings up all alerts in a list view.

In the list, select and open the Configure HTTPS alert:

A service user called ssl-service has been created for this feature. Once you open the alert, you will be guided through the following configuration wizard:

First, set up the Store Credentials. These are the credentials for the ssl-service system user's key store that will contain the private key and trust store for the HTTPS listener.

Once you enter the credentials, click Next in the upper right corner of the page. Then, upload the associated private key and certificate for the SSL connection.

Note:

For information on how to generate a private key and a certificate to use with the wizard, see the procedure below.

Lastly, specify the TCP port for the HTTPS listener.

Automating SSL By Default

There are three ways of automating SSL By Default.

Via HTTP POST

The first method involves posting to the SSLSetup server that is being used by the configuration wizard:

POST /libs/granite/security/post/sslSetup.html

You can use the following payload in your POST to automate configuration:

The fastest way of running cURL to automate the SSL configuration is from the folder where the DER and CRT files are. Alternatively, you can specify the full path in the privatekeyFile and certificateFile arguments.

You also need to be authenticated in order to perform the update, so make sure you add the -u user:password parameter to the cURL command.
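Passing credentials with -u on the command line leaves them in the process list and shell history. The script below is an added example, not Adobe's code: it writes the same POST into a curl config file readable only by its owner. The form field names other than privatekeyFile and certificateFile, the environment variable names, and the host, port and file names in the usage comment are assumptions to confirm for your AEM version.

```shell
#!/bin/sh
# Added example, not Adobe's code. Field names other than privatekeyFile and
# certificateFile are assumptions; confirm them for your AEM version.

# Escape backslash and double quote for a quoted curl config value.
cfg_escape() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# write_sslsetup_config OUT BASE_URL KEY_DER CERT_CRT HTTPS_HOST HTTPS_PORT
# Secrets are read from the environment (AEM_USER, AEM_PASS, STORE_PASS), so
# they never appear in argv. Runs in a subshell: umask and variables stay local.
write_sslsetup_config() (
  out=$1 base=$2 key=$3 crt=$4 host=$5 port=$6
  [ -n "${AEM_USER:-}" ] && [ -n "${AEM_PASS:-}" ] && [ -n "${STORE_PASS:-}" ] ||
    { echo "set AEM_USER, AEM_PASS and STORE_PASS" >&2; exit 1; }
  case $port in ''|*[!0-9]*) echo "port must be numeric" >&2; exit 2 ;; esac
  [ -r "$key" ] && [ -r "$crt" ] ||
    { echo "key or certificate not readable" >&2; exit 3; }
  sp=$(cfg_escape "$STORE_PASS")
  umask 077          # file holds credentials: owner-only from creation
  rm -f -- "$out"    # do not inherit looser permissions from an old file
  {
    printf 'url = "%s/libs/granite/security/post/sslSetup.html"\n' "$(cfg_escape "$base")"
    printf 'user = "%s:%s"\n' "$(cfg_escape "$AEM_USER")" "$(cfg_escape "$AEM_PASS")"
    # form-string sends the value literally, so a password that starts with
    # @ or < is not treated as a file to upload.
    for f in keystorePassword keystorePasswordConfirm \
             truststorePassword truststorePasswordConfirm; do
      printf 'form-string = "%s=%s"\n' "$f" "$sp"
    done
    printf 'form = "privatekeyFile=@%s"\n' "$(cfg_escape "$key")"
    printf 'form = "certificateFile=@%s"\n' "$(cfg_escape "$crt")"
    printf 'form-string = "httpsHostname=%s"\n' "$(cfg_escape "$host")"
    printf 'form-string = "httpsPort=%s"\n' "$port"
    printf 'fail\n'  # non-zero exit status on an HTTP error response
  } > "$out"
)

# Usage (constructed values; load the three variables from a secrets store,
# not from the command line; nothing is sent until curl is run):
#   write_sslsetup_config ssl.cfg http://localhost:4502 \
#     localhostprivate.der localhost.crt localhost 8443
#   curl --config ssl.cfg; rm -f ssl.cfg
```

Until the HTTPS listener exists, this POST may itself travel over plain HTTP, so run it on the AEM host or across a trusted channel, and delete the config file once the call has completed.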